SevOne NMS Port Number Requirements Guide
About
SevOne peers communicate with each other to maintain a consistent environment. Each peer needs the following ports open to the other peers.
Most ports use TLS for encryption, which can be negotiated based on the client and server configuration. The same is true for SSH. For some ports, the exact encryption method cannot be guaranteed. For example, encryption on SSL port 443 depends on the client's browser.
In this guide, any reference to master, including in a CLI command or in its output, means leader. Any reference to slave means follower.
Peer Port Assignments
Minimum Ports Required for NMS Cluster Operation
The minimum port requirement is a list of ports required by PAS and/or Between Peers.
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
ICMP (*) | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers | Interpeer Monitoring ICMP from and to devices and Interpeer Monitoring |
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC -> Data Insight | SSH Access - remote login. Required for SevOne Data Insight to update or Install Data Insight Reporting API (DIRA) |
TCP 80 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers -> Data Insight | HTTP, SOAP API, and AJAX Calls - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
TCP 389 | N | n/a | PAS -> | LDAP (Clear text) Server port (not used for secure configurations) |
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers | For Livemaps in REST API, the Cluster Leader and Peer use HTTPS on port 443. If the connection is unavailable, it falls back and uses HTTP on port 80. |
TCP 443 (for AWS or Azure) | Y | TLS-based encryption. | -> AWS -> Azure | For monitoring AWS or Azure services. Important: For AWS, calls are also made to endpoint https://sts.us-east-1.amazonaws.com/ to help with assuming IAM roles. |
TCP 636 | Y | TLS-based encryption. | PAS -> | LDAP (SSL) Server port |
TCP 873 | N | n/a | <-> Between Peers | RSYNC - Interpeer |
TCP 3306 (*) | Y | TLS-based encryption. | <-> Between Peers | MySQL - Interpeer |
TCP 3307 (*) | Y | TLS-based encryption. | <-> Between Peers | MySQL2 - Interpeer |
TCP 5051 | N | n/a | -> Export Destination | Raw Data Export - SevOne Raw Data Feed (optional for customer streaming data) |
TCP 8082 | N | n/a | -> PAS | SevOne Data Publisher status page (optional / configured) on by default |
TCP 8123 | n/a | n/a | <-> Between Peers | Squid (5.7.2), Polipo (5.7.1), Interpeer Proxy VMware vCenter |
TCP 8443 | Y | TLS-based encryption - can be configured by an admin user. | -> PAS | Secure port for SevOne Data Publisher status page (optional / configured) off by default |
TCP 9092 (*) | Y | TLS-based encryption. | <-> Between Peers | Apache Kafka |
TCP, UDP 9094 | N | n/a | -> Cluster Leader & HSA <-> Peers | Prometheus Clustering: For Alertmanager high availability clustering. Important: Peers connect to the Cluster Leader's port 9094 to report alerts and outages as part of Prometheus. This port must be open to other peers in the cluster. |
TCP 9443 | Y | TLS-based encryption | Web Browser <-> Cluster Leader | Port is required for Self Service Upgrades. Important: For Self Service Upgrades, the Graphical User Interface installer binds the Cluster Leader to TCP 9443 and runs a service (that the user connects to) through the browser using HTTPS. If the Graphical User Interface installer is required, this port must be exposed. |
TCP 60006 (*) | Y | <-> Between Peers | sshd server | |
TCP 60007 (*) | Y | ZMQ Curve-based encryption. | <-> Between Peers | SevOne-requestd Reserved - Interpeer |
UDP 123 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers | NTP Interpeer Time Sync NTP - Interpeer and to NTP time source |
UDP 161 | N | n/a | PAS -> DNC -> HSA -> <-> Between Peers | SNMP Interpeer Monitoring SNMP - to Devices and Interpeer |
UDP 162 | N | n/a | -> PAS -> HSA <-> Between Peers | SNMP Trap Interpeer Monitoring and from Devices (optional) |
UDP, TCP 514 (**) | N | n/a | PAS -> <-> Between Peers | Syslog |
UDP 6831 | N | n/a | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6831 is a compact-thrift protocol. |
UDP 6832 | N | n/a | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6832 is a binary-thrift protocol. |
HTTP 16686 (***) | N | n/a | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port HTTP 16686 is to serve the frontend. |
(*) denotes that these ports are a must and absolutely required.
(**) denotes that Syslog is configurable.
(***) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.
Additional Ports for Hot Standby Appliance (HSA) Deployment
The list below is for additional ports required for Hot Standby Appliance.
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
ICMP (*) | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers | Interpeer Monitoring ICMP from and to devices and Interpeer Monitoring |
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC | SSH Access - remote login |
TCP 25 | N | n/a | PAS -> HSA -> | SMTP - to Mail server |
TCP 80 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers -> Data Insight | HTTP, SOAP API, and AJAX Calls - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC -> Data Insight | HTTPS - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
UDP 123 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers | NTP Interpeer Time Sync NTP - Interpeer and to NTP time source |
UDP 161 | N | n/a | PAS -> DNC -> HSA -> <-> Between Peers | SNMP Interpeer Monitoring SNMP - to Devices and Interpeer |
UDP 162 | N | n/a | -> PAS -> HSA <-> Between Peers | SNMP Trap Interpeer Monitoring and from Devices (optional) |
UDP, TCP 53 | N | n/a | -> PAS -> DNC -> HSA | DNS |
(*) denotes that these ports are a must and absolutely required.
Required Ports for NMS Data Collection
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
UDP 161 | N | n/a | PAS -> DNC -> HSA -> <-> Between Peers | SNMP Interpeer Monitoring SNMP - to Devices and Interpeer |
UDP 162 | N | n/a | -> PAS -> HSA <-> Between Peers | SNMP Trap Interpeer Monitoring and from Devices (optional) |
Required Ports for Remote Management
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC | SSH Access - remote login |
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC -> Data Insight | HTTPS - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443). prometheus - for main data collection service (only runs on the Cluster Leader and its HSA) - uses port 80 (for HTTP protocol) and 443 (for HTTPS protocol). alertmanager - for main alerting service (only runs on the Cluster Leader and its HSA) - uses port 80 (for HTTP protocol) and 443 (for HTTPS protocol). |
UDP, TCP 5900 | Y | 128-bit SSL encryption. For additional details, please refer to https://www.dell.com/support/article/en-us/sln306877/dell-poweredge-how-to-configure-the-idrac9-and-the-lifecycle-controller-network-ip?lang=en#ports | -> iDRAC | iDRAC Virtual console Keyboard and Mouse connection |
UDP, TCP 5901 | Y | 128-bit SSL encryption. For additional details, please refer to https://www.dell.com/support/article/en-us/sln306877/dell-poweredge-how-to-configure-the-idrac9-and-the-lifecycle-controller-network-ip?lang=en#ports | -> iDRAC | iDRAC Virtual console Video connection |
(*) denotes that these ports are a must and absolutely required.
Other Product Integration
SevOne Data Insight (SDI) Deployment
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user. | -> PAS -> Data Insight | Required for SevOne Data Insight to update or Install Data Insight Reporting API (DIRA) |
TCP 80 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers -> Data Insight | HTTP, SOAP API, and AJAX Calls - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC -> Data Insight | HTTPS - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
TCP 2379 - 2380 (*) | N | n/a | -> Data Insight | Required only for HA with embedded etcd. Source: K3s server nodes |
TCP 3000 (**) | N | n/a | Web Browser <-> Data Insight | Required for the Graphical User Interface Installer |
TCP 3001 (**) | N | n/a | Web Browser <-> Data Insight | Required for the Graphical User Interface Installer's backend (API) |
TCP / UDP 5052 | Y | TLS-based encryption - can be configured by an admin user. | -> NMS -> Data Insight | Important: Only applies for SevOne Data Insight versions <= 1.6.0. DSPlugin (Data Insight access for its NMS data source peer) |
TCP 6443 (*) | N | n/a | -> Data Insight | Kubernetes API Server. Source: K3s agent nodes |
TCP 10250 (*) | N | n/a | -> Data Insight | Kubelet metrics. Source: K3s server and agent nodes |
UDP 6831 | N | n/a | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6831 is a compact-thrift protocol. |
UDP 6832 | N | n/a | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6832 is a binary-thrift protocol. |
UDP 8472 | N | n/a | -> Data Insight | Required only for Flannel VXLAN. Source: K3s server and agent nodes. Note: The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. Important: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. |
HTTP 16686 (**) | N | n/a | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port HTTP 16686 is to serve the frontend. |
(*) denotes that these ports are a must and absolutely required.
(**) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.
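The firewall restriction on UDP 8472 called for in the Flannel VXLAN note above, as an added example (not SevOne or K3s code): a shell function that renders an nftables ruleset accepting VXLAN traffic only from listed node addresses and dropping it from everywhere else. The table name `k3s_vxlan`, the set name `k3s_nodes` and the node IP addresses are assumptions.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that accepts Flannel VXLAN
# (UDP 8472) only from listed K3s node addresses and drops it otherwise.
# Table/set names and all IP addresses are assumptions for illustration.

# is_host_ipv4 ADDR: succeed only for a dotted-quad host address.
# CIDR prefixes and 0.0.0.0 are refused so the allow set cannot mean "anyone".
is_host_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    if [ "$1" = "0.0.0.0" ]; then return 1; fi
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (input holds only digits and dots)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_vxlan_ruleset NODE_IP...: print the ruleset on stdout.
# Returns 1 (and prints nothing on stdout) if any address is unacceptable.
render_vxlan_ruleset() {
    [ "$#" -gt 0 ] || { echo "no node addresses given" >&2; return 1; }
    elements=""
    for ip in "$@"; do
        is_host_ipv4 "$ip" || { echo "rejecting '$ip'" >&2; return 1; }
        case ", $elements," in
            *", $ip,"*) ;;                                   # skip duplicates
            *) elements="${elements:+$elements, }$ip" ;;
        esac
    done
    cat <<EOF
table inet k3s_vxlan {
    set k3s_nodes {
        type ipv4_addr
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport 8472 ip saddr @k3s_nodes accept
        udp dport 8472 drop
    }
}
EOF
}

# Constructed node addresses for a three-node cluster.
render_vxlan_ruleset 10.0.0.11 10.0.0.12 10.0.0.13
```

Save the output to a file, syntax-check it with `nft -c -f <file>`, then load it with `nft -f <file>` on every node.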
SevOne Data Publisher (SDP) Deployment
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
TCP 8082 | N | n/a | -> PAS | SevOne Data Publisher status page (optional / configured) on by default |
TCP 8443 | Y | TLS-based encryption - can be configured by an admin user. | -> PAS | Secure port for SevOne Data Publisher status page (optional / configured) off by default |
TCP 9092 (*) | Y | TLS-based encryption. | <-> Between Peers | Apache Kafka |
TCP 9443 (**) | Y | TLS-based encryption. | Web Browser <-> Cluster Leader | Port is required for Self Service Upgrades. Important: For Self Service Upgrades, the Graphical User Interface installer binds the Cluster Leader to TCP 9443 and runs a service (that the user connects to) through the browser using HTTPS. If the Graphical User Interface installer is required, this port must be exposed. |
(*) denotes that these ports are a must and absolutely required.
(**) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.
Solutions Deployment
The following table provides port number requirements for Cisco SDN, Enterprise WiFi Monitoring, and SD-WAN (Fortinet, Velocloud, Versa and Viptela collectors).
Solution | IP (UDP/TCP)/ICMP | Direction | Purpose |
---|---|---|---|
SDN | TCP 80 (HTTP) | -> PAS | The API config / communication port |
SDN | TCP 443 (HTTPS) | -> PAS | The API config / communication port Required for, |
SDN | UDP 6831 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6831 is a compact-thrift protocol |
SDN | UDP 6832 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6832 is a binary-thrift protocol |
SDN | HTTP 16686 (*) | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port HTTP 16686 is to serve the frontend |
WiFi | TCP 80 | -> PAS | PAS REST API config / collection port |
WiFi | TCP 443 | -> PAS | The API config / communication port |
WiFi | TCP 3306 | -> PAS | MySQL port |
WiFi | UDP 6831 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6831 is a compact-thrift protocol |
WiFi | UDP 6832 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6832 is a binary-thrift protocol |
WiFi | HTTP 16686 (*) | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port HTTP 16686 is to serve the frontend |
SD-WAN / Fortinet | TCP 80 (HTTP) | -> PAS -> FortiManager | The API config / communication port |
SD-WAN / Fortinet | TCP 443 (HTTPS) | -> PAS -> FortiManager | The API config / communication port Required for, |
SD-WAN / Velocloud | TCP 80 (HTTP) | -> PAS -> Velocloud / VMware orchestrator | The API config / communication port |
SD-WAN / Velocloud | TCP 443 (HTTPS) | -> PAS -> Velocloud / VMware orchestrator | The API config / communication port Required for, |
SD-WAN / Versa | TCP 443 (Outbound) | -> PAS | Address: NMS server; for NMS API port |
SD-WAN / Versa | TCP 3000 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer. For Client, config file location is /etc/sevone-guii/client.yaml |
SD-WAN / Versa | TCP 3001 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer's backend (API). For API, config file location is /etc/sevone-guii/api.yaml |
SD-WAN / Versa | TCP 6443 | Worker -> Master node | K3s supervisor & Kubernetes API Server. The K3s server needs port 6443 to be accessible by all nodes |
SD-WAN / Versa | UDP 6831 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6831 is a compact-thrift protocol |
SD-WAN / Versa | UDP 6832 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6832 is a binary-thrift protocol |
SD-WAN / Versa | UDP 8472 | <-> Between nodes | Flannel VXLAN backend. The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s |
SD-WAN / Versa | TCP 9182 | -> vDirector | API port number of targeted vDirector |
SD-WAN / Versa | TCP 9992 (Inbound) | -> Collector Nodes | Flow syslogs from Versa devices |
SD-WAN / Versa | TCP 9996 (Outbound) | Collector Nodes -> DNC | Address: NMS DNC server; for Flow Augmentor output; required for DNC where the flows are being sent |
SD-WAN / Versa | TCP 10250 | <-> Between nodes | Kubelet metrics - all nodes must be accessible to each other on port 10250 |
SD-WAN / Versa | HTTP 16686 (*) | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port HTTP 16686 is to serve the frontend |
SD-WAN / Versa | TCP 50001 (Inbound) | -> Collector Nodes | Versa Syslogs from Versa Analytics server (The port on which the collector listens for non-flow syslog data sent by Versa Analytics); required for the log exporter to send UDP data to collector and Syslog data in kvp format |
SD-WAN / Viptela | TCP 443 (Outbound) | Collector Nodes -> PAS -> vManage | Address: vManage server; for Viptela vManage API. Address: NMS server; for NMS API port |
SD-WAN / Viptela | TCP 3000 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer. For Client, config file location is /etc/sevone-guii/client.yaml |
SD-WAN / Viptela | TCP 3001 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer's backend (API). For API, config file location is /etc/sevone-guii/api.yaml |
SD-WAN / Viptela | TCP 6443 | Worker -> Master node | K3s supervisor and Kubernetes API Server. The K3s server needs port 6443 to be accessible by all nodes |
SD-WAN / Viptela | UDP 6831 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6831 is a compact-thrift protocol |
SD-WAN / Viptela | UDP 6832 | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port UDP 6832 is a binary-thrift protocol |
SD-WAN / Viptela | TCP 8443 (Outbound) | -> vManage | Address: vManage server; for Viptela vManage API |
SD-WAN / Viptela | UDP 8472 | <-> Between nodes | Flannel VXLAN backend. The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s |
SD-WAN / Viptela | TCP 9995 (Inbound) | -> Collector Nodes | Flow Augmentor input (The port on which Flow Augmentor listens for inbound flows. The port number can range from 9000 - 33000) |
SD-WAN / Viptela | TCP 9996 (Outbound) | Collector Nodes -> DNC | Address: NMS DNC server; for Flow Augmentor output; required for DNC where the flows are being sent |
SD-WAN / Viptela | TCP 10250 | <-> Between nodes | Kubelet metrics - all nodes must be accessible to each other on port 10250 |
SD-WAN / Viptela | HTTP 16686 (*) | -> PAS | (Optional) This port is for Tracing. This feature is for Internal Use Only for the Support Team to use for troubleshooting. Port HTTP 16686 is to serve the frontend |
(*) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.
SevOne Distributed Netflow Connector (DNC) Deployment
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose |
---|---|---|---|---|
ICMP (*) | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers | Interpeer Monitoring ICMP from and to devices and Interpeer Monitoring |
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC | SSH Access - remote login |
TCP 80 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers -> Data Insight | HTTP, SOAP API, and AJAX Calls - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user. | -> PAS -> DNC -> HSA <-> Between Peers -> iDRAC -> Data Insight | HTTPS - End User Terminal UI port for Data Insight - Can be configured using environment variables. Data Insight uses port 80 to redirect any HTTP (80) requests to HTTPS (443) |
UDP 123 | N | n/a | -> PAS -> DNC -> HSA <-> Between Peers | NTP Interpeer Time Sync NTP - Interpeer and to NTP time source |
UDP 161 | N | n/a | PAS -> DNC -> HSA -> <-> Between Peers | SNMP Interpeer Monitoring SNMP - to Devices and Interpeer |
UDP 6343 | N | n/a | -> DNC | sFlow data to DNC (configurable / optional) |
UDP 9996 | N | n/a | -> DNC | Netflow data (sampled / non-sampled) to DNC (configurable) |
UDP, TCP 53 | N | n/a | -> PAS -> DNC -> HSA | DNS |
(*) denotes that these ports are a must and absolutely required.